AWS CloudFormation
User Guide (API Version 2010-05-15)

Controlling User Access with AWS Identity and Access Management

AWS CloudFormation integrates with AWS Identity and Access Management (IAM), a service that lets you do the following:

  • Create users and groups under your organization's AWS account

  • Easily share your AWS account resources between the users in the account

  • Assign unique security credentials to each user

  • Granularly control users' access to services and resources

  • Get a single AWS bill for all users in the AWS account

  • Assign a role to an EC2 instance for secure access to your AWS services from an application

During the validation of your template, AWS CloudFormation also checks your template for capabilities that you should be aware of and acknowledge before creating the stack. Currently, AWS CloudFormation checks only for IAM resource capabilities. If your template contains IAM resources, AWS CloudFormation will fail to create the stack if you do not acknowledge the template’s creation of IAM resources.

Before you create a stack from such a template, you should be sure that you trust the source of the template since IAM resources can create or modify users, groups, and policies that control access to your AWS resources. If you decide to create or update a stack from a template containing IAM resources, you must acknowledge that capability during that operation. You can acknowledge that capability using the AWS CloudFormation console, command line, or API.

  • In the AWS CloudFormation console, check I acknowledge that this template may create IAM resources on the Specify Parameters page of the Create Stack or Update Stack wizards.

  • With the cfn-create-stack and cfn-update-stack commands, you must specify the CAPABILITY_IAM value for the --capabilities parameter.

  • With the CreateStack and UpdateStack APIs, you must specify the parameter Capabilities.member.1=CAPABILITY_IAM.
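As an added example (not code from the guide), the following Python pre-flight check lists the IAM resources a JSON template declares, so a reviewer can see exactly what the acknowledgement would cover, and adds the Capabilities.member.1 parameter in the form shown above only when the template actually needs it. The AWS::IAM:: type-prefix test and the sample template are assumptions of this example.

```python
import json

# Assumption of this example: every resource type in the AWS::IAM:: family is
# what triggers CloudFormation's CAPABILITY_IAM acknowledgement check.
IAM_TYPE_PREFIX = "AWS::IAM::"


def iam_resources(template):
    """Return (logical_id, type) pairs for IAM resources in a template dict."""
    resources = template.get("Resources", {})
    return sorted(
        (logical_id, body["Type"])
        for logical_id, body in resources.items()
        if isinstance(body, dict)
        and str(body.get("Type", "")).startswith(IAM_TYPE_PREFIX)
    )


def required_capabilities(template):
    """Capabilities the caller must acknowledge for this template."""
    return ["CAPABILITY_IAM"] if iam_resources(template) else []


def create_stack_params(stack_name, template_body):
    """Build CreateStack query parameters; Capabilities.member.N entries are
    added only when the template declares IAM resources."""
    template = json.loads(template_body)
    params = {"StackName": stack_name, "TemplateBody": template_body}
    for i, cap in enumerate(required_capabilities(template), start=1):
        params["Capabilities.member.%d" % i] = cap
    return params


# Constructed sample template: one SQS queue and one IAM user with an inline policy.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WorkQueue": {"Type": "AWS::SQS::Queue"},
        "DeployUser": {
            "Type": "AWS::IAM::User",
            "Properties": {"Policies": [{"PolicyName": "deploy", "PolicyDocument": {
                "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}}]},
        },
    }
})

if __name__ == "__main__":
    # Surface the IAM resources for review before anyone acknowledges them.
    print("IAM resources to review:", iam_resources(json.loads(SAMPLE_TEMPLATE)))
    print("CreateStack parameters:", create_stack_params("demo", SAMPLE_TEMPLATE))
```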

For example, you can use IAM with Amazon EC2 to control which users in your AWS account can create AMIs or launch instances.

Example 1: Allow only the group RegisteredDevelopers to access AWS CloudFormation APIs.

In this example, we create the following policy to attach to the RegisteredDevelopers group:

{
    "Statement": [ {
        "Effect": "Allow",
        "Action": [
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack",
            "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackEvents",
            "cloudformation:DescribeStackResources",
            "cloudformation:GetTemplate",
            "cloudformation:VerifyTemplate"
        ],
        "Resource": "*"
    } ]
}

Only the developers in the RegisteredDevelopers group will be able to call the APIs listed.

In addition to the AWS CloudFormation API permissions itemized in the policy, the developers in the RegisteredDevelopers group must also have permission to create and describe the individual resources declared in the template. For example, if the template declares an Amazon SQS queue, the developer creating a stack from that template needs the corresponding IAM permissions for Amazon SQS.

For more information about IAM, go to: